October Chat with the IE Team on Thursday

Join members of the Internet Explorer team for an Expert Zone chat next Thursday, October 16th at 10.00 PDT/17.00 UTC. These chats are a great opportunity to have your questions answered by members of the IE product team. Thank you to all who have attended the chats to date!

Nice to hear this. Actually I am developing a BHO using caching objects related to the process of IE. It works fine in IE7. Even in IE8 Beta 1 it’s working well. But in Beta 2 the process is changing frequently, so it is very difficult to maintain the cache.

Beta 2 is definitely a big improvement over Beta 1 (or as the rest of the web calls it, IE8 Alpha 1) but it is far from ready for prime time (too many regression bugs to count, and so many major bugs from before that simply aren’t addressed yet, and no we are not talking about implementing new features like native SVG, we’re talking majorly broken DOM issues, z-index issues, filter:alpha regressions and all that mess).

Will the chat on Thursday (I will miss yet again! please spice this up with other days of the week, and time.) explain when the ETA is for Beta 3? With an RC due before Christmas, it doesn’t leave much time for the real beta to be released and tested.

Installed the beta IE8 2 weeks ago but had to uninstall (which restores your previous IE7 by the way) because IE8 was not recognized as a new IE version by my Wells Fargo Online Banking provider. I like 8 so far but I’ll need a beta that is recognized by my usual list of Trusted sites at minimum if I’m going to install it again one of these days.

IE team please please fix this bug where the width of the Favorites/Feeds/History pane is not remembered when it is pinned. This bug wasn’t present in IE7. I’ve reported it on Connect but MS isn’t taking notice.

Beta 3? Did not think there would be a beta 3. Hopefully, Microsoft stops locking up the UI and allows their customers a choice. Will have to wait and see. I’ve pretty much given up hope with Microsoft, because so far IE 8 for me is "Life with Walls". Would love to see anyone from Microsoft comment on why locking up the UI is better, so far they never have. Don’t think they ever will.

Interesting stuff came up lately. With IE8 Beta 2, Flash movies loading slows down entire CSS and DOM rendering. See my URL for instance. It does not happen with IE6 WinXP, IE7 Win Vista, yet happens in IE8 beta 2: loading advertisements slows down CSS menus and mouse overs and responsiveness entirely while it does not with any other browser including previous versions of IE.

So how about also supporting ieaddons.com for more languages. Now only English, German and Chinese are supported. However I would like a Dutch version as well, since many Dutch IE users don’t care about the NY Times.

I am looking forward to Internet Explorer 8 beta 3 and yes there certainly should be a beta 3 because Internet Explorer 8 is great but certainly not ready for prime time yet. Heck, I still prefer Mozilla Firefox 2.x over Mozilla Firefox 3.x because it does all that I need it to do and FF 3.x still does not support all the extensions that I like to use. IE 6.x is still used at my workplace and IE 7.x was rushed too quickly out the door in my opinion and has issues but certainly nice new features. It would be great if Microsoft had the browser as a separate component and the user could choose when they installed Windows to use IE, FF, or perhaps Opera depending on what they like best. Apple’s Safari is a joke as well in terms of security and I have only seen Firefox and IE 7.x in Windows Vista capable of taking advantage of 256 bit AES cipher strength while everyone seems contented with 128 bit cipher strength but then why would Bank of America have so many log in steps and a Charles Schwab have only one log in step and the reason is Bank of America only supports a maximum of 128 bit cipher strength while Charles Schwab has 256 bit AES cipher strength when using Mozilla Firefox 2.x, 3.x and IE 7 within Windows Vista. I am surprised and disappointed this issue has not taken on more importance and ask IE 8.x to please support 256 bit AES encryption for Windows XP Professional to help keep us all safer out there. Heck, even within Windows 98 Second Edition you can have pages with 256 bit cipher strength with Mozilla Firefox 2.x and that just goes to show Microsoft is way behind on the security issue at least with Internet Explorer.

DanW: The number of login steps on the financial sites you mention has absolutely nothing to do with the SSL ciphers they support. It’s due to the fact that BoA is a retail bank and is thus covered by the recent banking guideline recommending two-factor authentication.

While it’s true that 256bit AES was introduced in IE7 for Windows Vista, 128bit SSL encryption remains unbroken in practical use. While there are many attacks against browsers in the wild, crypto attacks against 128 bit ciphers are not among them.

ActiveX prompts kinda ring a "this is not completely thought through and safe" bell with me. I mean one issue is when you are navigating from one page to another, creating a new tab, and the new tab has to ask for permission to run ActiveX. The ActiveX prompt dialog usually appears as if it had something to do with the first page, although in reality it is the new second page that is asking for permissions. This is confusing. And sometimes the ActiveX dialog box may not even be visible without kind of searching for it, so in the meantime the page behind the dialog hangs. In the eyes of a novice user this would seem like a browser or tab hang and would prompt an "end process" and then error reporting and so on. Another issue I would like to mention is how active content prompts are so easy to answer wrong when you’re in a hurry or otherwise stressed. There could be some optional double confirmation and/or input delay feature to reduce risk of accidentally letting malicious content execute. Also, the way in which these prompt dialogs appear is just annoying. I mean, why not somehow integrate the prompts into the rendering engine window, much like the information bar that tells us when content may be missing. This would allow closing a tab without manually having to answer a lot of ActiveX prompts, it would just default to "No" on its own. This feature would of course benefit from some kind of visual indication that a tab needs attention. Just draw some kind of color or pattern to the top of each tab needing attention, much like how a similar coloring appears on WinXp manifested tabs when you point the mouse cursor at them. Instead of just a plain color like that, we could use some patterning, perhaps like a "construction" pattern with alternating diagonal yellow and black bars, but still the same amount of screen area as the manifest coloring. Lastly I would like to mention how I miss being able to save a temporary tab group upon closing IE.
I mean, one day I may be reading four technical articles and when night time kicks in, I may have to add the tabs to a Favorites folder or make these new shortcut buttons above the tab bar. This seems tedious. If we could just have more of the "restore last session" feature that is used after IE has abnormally closed, it would be easier. Make a dedicated mode button or checkbox or something for this.

@Rune you are right about the security zones. They are horribly outdated, but more importantly they are just simply not used by anyone because they are so annoying.

There are only 2 zones. There only ever have been 2 zones, and all browsers support them.

zone 1: Sites I trust

zone 2: Sites I don’t trust

There ARE NO OTHER ZONES. The fact that IE insists on trying to layer 2 more zones in there simply complicates things and users have no idea why a page does or doesn’t work.

Every user I’ve seen having issues with a site, simply turns on more and more features until the site works. Does it need to run unsigned ActiveX? They don’t know, and quite frankly they don’t care. They just want the site they need to work.

***If*** MSFT insists on keeping this goofy "feature" (massive air quotes on ‘feature’) please for the love of pete enlarge the options box to AT LEAST TWICE ITS CURRENT LOCKED DIMENSIONS! or better yet, make it scale like well designed dialog boxes.

Every time I see a user on IE I see them suffering with the UI, or the backwards design of the "features" within IE. I agree that fixing CSS/JavaScript are high priorities for IE but the UI has not been fixed since IE4 and it shows.

If I was going to give the IE options dialog box a rating out of 10 for how well designed it is, and how usable it is?…. I would have to rate it a -6 (that’s right, negative 6 out of 10)

I have only ever seen 1 dialog designed worse, and it was on an application that ceased development in 1997.

Forged links in web pages (also in Outlook e-mails) could be more easily detected using some kind of "security advisor" code that would use one or more ways of indicating to the user if a link may have been forged. In some cases forgery indication may produce false positives, so indication may have to present a "threat likelihood percentage" to the user. One way to display an indication would be to visually mark a link during rendering of the web page, and perhaps turn off conflicting CSS effects for that link. Also, on pointing the mouse cursor at such a link, some kind of tooltip hint with information could be displayed. As for how to detect a forged link, one way would be to check if the in-page link text could look like a URL and then check it against the link’s href value, warning the user if there would be a suspicious difference. A blacklist of known bad hrefs could also be useful, although a huge href index could cause rendering slowdown, so that could need some optimization. Make sure to check e-mail addresses also, and warn the web page reader (in the case of HTML e-mail reading) of the likelihood of responding to an otherwise safe looking e-mail. Some may claim that this is an antivirus software suite’s job, but if these basics were integrated into the browser it would be more standardized and easier for novice users to memorize how to use. As for forged banking pages, perhaps a whitelist of known good sites and their keywords would help indicate to a user if they may be visiting a forged banking website. Anyway, maybe this is already in the phishing filter 🙂
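
The text-versus-href comparison suggested in the comment above, sketched as an added example; it is not part of the original thread and is not how IE or SmartScreen works. The function names, the `base` placeholder and the sample links are constructed for illustration.

```javascript
// Added example: flag links whose visible text names one host or mailbox
// while the href points somewhere else. Heuristic only: hostnames are
// compared directly, without a public-suffix list, so false positives happen.

const EMAIL = /^[^\s@]+@[^\s@]+\.[a-z]{2,}$/i;
// Visible text that is a bare domain or an http(s) URL, e.g. "www.bank.example/login".
const URL_LIKE = /^(?:https?:\/\/)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?::\d+)?(?:[\/?#]\S*)?$/i;

// Same host, or one is a subdomain of the other (bank.example vs www.bank.example).
function sameSite(a, b) {
  return a === b || a.endsWith('.' + b) || b.endsWith('.' + a);
}

// base is a placeholder page URL, used only to resolve relative hrefs.
function checkLink(text, href, base = 'https://page.invalid/') {
  let target;
  try {
    target = new URL(href, base);
  } catch {
    return { verdict: 'bad-href', shown: text, actual: null };
  }
  const shown = text.trim().toLowerCase();

  if (EMAIL.test(shown)) {
    // Text looks like an address: the link should be a mailto: to that address.
    const actual = target.protocol === 'mailto:'
      ? target.pathname.toLowerCase()
      : target.hostname;
    return { verdict: actual === shown ? 'ok' : 'mismatch', shown, actual };
  }

  const m = URL_LIKE.exec(shown);
  if (!m) {
    // Ordinary wording ("Click here") makes no claim about the destination.
    return { verdict: 'not-url-text', shown, actual: target.hostname };
  }

  // The URL parser, not string matching, decides which host the href really names.
  const actual = target.hostname;
  return { verdict: sameSite(m[1], actual) ? 'ok' : 'mismatch', shown: m[1], actual };
}

// Return only the links a renderer would mark or add a tooltip to.
function auditLinks(links, base) {
  return links
    .map(l => ({ ...l, ...checkLink(l.text, l.href, base) }))
    .filter(r => r.verdict === 'mismatch' || r.verdict === 'bad-href');
}

// Constructed sample input; in a browser the pairs would come from
// each anchor's textContent and href.
const SAMPLE_LINKS = [
  { text: 'www.bank.example', href: 'https://www.bank.example/login' },
  { text: 'https://www.bank.example/login', href: 'https://login.other.test/' },
  { text: 'bank.example', href: 'https://notbank.example/' },
  { text: 'Click here', href: 'https://other.test/' },
  { text: 'help@bank.example', href: 'mailto:help@other.test' },
];

console.log(auditLinks(SAMPLE_LINKS));
```

Links with ordinary wording are deliberately not judged here, which is why the comment's blacklist and the reputation-based filtering mentioned in the replies remain separate checks.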

You can restore the tabset you had open when you last closed IE. Visit the "about:tabs" page (the default for a new tab) and click "Reopen last browsing session."

The IE8 SmartScreen filter attacks malicious sites in a far more reliable way than attempting to detect "forged" hyperlinks. The IE7/IE8 Filter blocks millions of navigations to malicious sites every month.

@Bo: The chat is at Noon in US Central time.

@Tyrone: Virtually every company with an Intranet uses zones heavily, even if the user doesn’t realize it. Also, most users end up using the Local Computer zone from time to time, again, even if they don’t realize it. While Zones definitely are difficult to understand and can be a source of confusion, that’s because the problem of how to assign a mixed set of permissions (many of which are difficult to understand) to potentially thousands of sites is not a simple one. Most users, however, never have any need to adjust zone settings, and can simply move sites to the Trusted Zone if needed.

@EricLaw [MSFT] you obviously haven’t worked or seen inside many companies that aren’t an MS-only shop.

There is no Intranet zone in Firefox, but it doesn’t need one because it doesn’t run JScript or ActiveX.

All I know, is of the 2-400 users I’ve ever done tech support for… ZERO of them understood ANY aspect of the 4 zones. NONE of them had a clue where or what to change if something wasn’t working.

0% sounds like a usability issue in my books.

Regardless, the point still stands on the usability of the UI of that dialog. There are no worse dialogs out there, none.

Ask Bill Hill if he likes it? Ask Bill Gates if he likes it? Ask Steve Ballmer if he likes it? Ask ANYONE if they like it. It screams "we’re stuck in 1995! please help us!" oh wait, not open source, can’t.

@EricLaw: I am referring to a simple dialog box displayed when IE is set to prompt for permission to use ActiveX and I am visiting say, a news website with ActiveX enabled ads and video and such. The dialog window reads "Do you want to allow software such as ActiveX controls and plug-ins to run?". The dialog has two buttons, Yes and No, apart from the system Close (X) button in the caption/title bar.

In addition to what I mentioned in my previous post I would like to see a "No to all" button. As is I have to hammer that No button quite often if I am going to keep using the ActiveX prompts. Also, it may have been nice to have had some kind of ruleset for each page or domain that one would visit. Part of the ruleset may be a permanent "No to all" to deny all ActiveX controls on a given visited page. Next time I would visit the same page, I would not get any prompts, just a handy little main menu button for easily removing ruleset items should I change my mind.

The other day I was doing some work and I was viewing like four different pages. Eventually I had to shut down my computer. The next day however I could not just pick up where I had left off. Having to run an online banking errand for a family member, I was like "oh no, now I can’t use the restore tabs feature". Such an errand makes me restart IE even if there may be improved process separation in IE8 so, after that restart I guess my tabs were replaced with the banking site tab. Not that I tested it though. Anyway, what if I had been working on more projects requiring reading more groups of pages, all temporary. The Favorites folders are already littered with hundreds of pages and I kinda feel like a separate place for short term temporary links would have been nice to have. IE already has a "Add to Favorites Bar" feature for single pages. Doing the same for all active tabs would save having to manage folders and stuff in the main Favorites. Saved tab groups may be made available as items in a dropdown menu. Clicking a dropdown menu item would open those tabs again and remove the item automatically (may be optional).

You’re right, SmartScreen does the forgery detection more efficiently as it may be able to detect navigation patterns made by not only the usual links (DOM link nodes) but also by other navigation activation points (Scripts, ActiveX controls, etc). I still do not get any warnings from SmartScreen if I receive an e-mail that is clearly forged. To my knowledge there are no indicator gauges to help novices work around the "view message source" scenario. A malicious e-mail would just be received silently like any other e-mail, waiting for somebody to click one of its links or follow some other information that it carries.

Another thing I would like to mention is how IE seems to reduce palette colors for certain images. I have made a start page that is located on my C drive. The page is very simple with HTML and CSS, using table as a way of aligning links on screen. One of the tables has a background picture set (jpg). This picture is what sometimes suffers from palette reduction. I think I have observed this in IE8. Perhaps not as often so I am not sure if I recall. IE7 certainly had this behaviour. Memory usage does not seem likely to trigger this behaviour as my page with its graphics is pretty optimized and small. The palette seemed to be set to 16 colors, or at least something less than 256. What otherwise looks smooth would turn into something awfully blocky. Appears to occur randomly.

Tyrone, when you accuse others of ignorance and then make a long post explaining that ~they~ must be ignorant because YOU don’t understand something, it makes you look pretty silly. Even Firefox has zones, even if you didn’t notice. They’ve got a "chrome" zone that their XUL respects. Firefox’s about:config is nice, but normal users don’t understand that either, and it’s the closest comparison to the IE internet control panel.

Please add built-in support for vector graphics. Bitmapped page menu icons or link bullets/arrows just look bad if size increases with the already scalable text fonts, or if it’s as just a tiny dot while text size is increased. If vector graphics are made 3D it would have been even better. Rotatable. Could use JavaScript to do some cool stuff. Being able to display multiple 3D objects on a single canvas could allow easy presentation of charts (graphs and piecharts and such). Also, a canvas for simple 2D pixel plotting would have been awesome. This could be the same as the 3D canvas. This is probably not completely standardized yet so, I understand if we may have to wait for some brainstorming between browser vendors here.

What if we could have an additional menu option in the link right-click context (dropdown) menu, one that would do the same thing as "Open in New Tab" only suppressing any active content prompts such as the ActiveX Yes/No dialogs. This way, if we know we won’t be using ActiveX anyway, why not let the browser suppress that stuff for that particular page refresh/load and we would save ourselves some clicking, and we could perhaps save some web server traffic.

In order to avoid making one or two extra lines in the link right-click context menu, there could be an extra column of items to the right of "Open in New Tab" and "Open in New Window". The extra column would only show for the items that it is useful to. No traditional submenus to click or wait for.

I think the "mixed zone" issue isn’t really something that IE can fix, if it is a matter of lost context. This is something this blog alerted me to; that many sites extract HTML from multiple origins and mash this up to the point that it is no longer clear as to which frame comes from where.

That kills the ability to block on a per-site basis, and there goes much of the value of Spyware Blaster, Spybot etc. that populate the Restricted Zone with blacklisted sites.

Let’s say URL X is known to be bad, and blacklisted via Spyware Blaster (i.e. added to Restricted Zone). You visit site Y, which displays banner ads in a frame, and one such ad is from URL X. If that URL is still visible with respect to the frame, you’d be OK; if it were re-URL’d as per the banner ad provider that’s passing X’s material through, you aren’t.

Let’s take that further; say Site Y doesn’t pull content from sites like X into separate frames, but "digests" it into its own HTML that is presented as being natively from Y itself. You’d have to rely on Y’s ability to strip out hostile code etc. in the digestion process… not a good place to place your bets.

Now let’s say you’re IE8, and you have enough awareness that site Y is in fact mashing up streams from other sites, and you know you can’t determine their origin. You know you have a non-empty Restricted Zone list, so you know you cannot just treat all unknown sites as Internet Zone.

Do you render the site as being all from URL Y, and therefore OK a la Internet Zone?

Or do you throw up an alert that this is a mixed-zone site, and prompt to continue?

That’s a brilliant suggestion: On the right-click, (or maybe via Shift+Right-click), offer "Open / open in new window / tab without active content", so that we can pre-select our response for those pop-up prompts at the same time we initiate the action (handy for those who don’t have those prompts set; may reduce the need for them).

As it is, I toss off new tabs via "open in a new tab" all the time, while I carry on reading the page I’m on. Especially in Wikipedia, heh… so what then happens is, I have a bunch of pages all stalled on user prompts to allow scripting, etc.

Now that could cause resource issues within the browser that "normal" testing doesn’t pick up.

Let’s say rendering each page starts off with low resources, grabs a lot of resources, then releases these resources when done. But if it stalls on a prompt, it’s not "done", so there’s a bulged resource allocation for every stalled tab and window. Ouch!

Now consider a typical browsing session; you have opened and read 12 tabs, and kicked open another 27 tabs, of which you only read (and thus responded to) 6 of these. Now you shut down the browser, or Windows, and it has to clean up 21 tabs that are in that "waiting for response" state.

That’s prolly going to be uglier than the usual exit procedure, which IMO is the #1 performance metric.

Consider: Start a browser, with no or few "home pages". No sweat; some code has to be dragged up off disk, maybe some other RAM contents have to be bumped or flushed, but it’s not a big thing. Fine.

Open a new page or tab – also not a big thing; fine.

Now close down 37 tabs at once… even if the process of closing a tab takes half as long as opening it, this is still a piggy 15 times longer to wait than any of the other things we did. As geeks, we know that getting out (destructors and cleanup) can be as much work as starting up, but users’ intuition is that this is easy, so why does it take so loooong?

Now consider why one might want to close the browser in the first place; your laptop battery is running out, or you need to pack up and go. You really do NOT want to sit around waiting for stuff (sore point with those wretched updates!), and you may well just kill the power or hit the reset button instead.

Now Windows will paper over the effects of that bad exit, on the "kill, bury, deny" principle. AutoChk will "fix" and NTFS may smoothly roll back your work-in-progress to "this work never existed" status… and maybe that will avoid system bit-rot, and maybe it won’t (think interrupted SR and registry flush, for example). It’s still Bad.

Yes, those are the pop-up prompts one sees when a security properties setting is set to Prompt, rather than Enable or Disable.

Prompt is a great way to see what sites are trying to do, but these days, the ubiquity of scripting gives one "prompt fatigue".

What Steiner’s on to is the opportunity to make "zone" decisions on the fly, as part of the process of launching stuff. This is a good example of a general concept; the need for explicit "run" vs. "view" vs. "edit" primitives, to replace the dangerously-dumbed-down "open" (i.e. "use me").

Tyrone: Zones may look as if they are part of IE, but they aren’t – they are system-wide, as are some other "Internet" things that MS has (perhaps unwisely) UI’d via IE’s Tools, Options. Firefox uses the same zones (now).

If you go Control Panel, Internet, then zones, connection settings make more sense… it was perhaps a mistake to UI these via IE’s Tools, Options, as that creates the impression they are part of the browser only.

I’d rather see a tabular format enabling me to see more settings at once, and see what’s enabled / disabled / etc. at a glance (e.g. blobs in columns) so that a changed setting stands out for my attention.

And I want a button to interactively save and restore settings, not just on this dialog, but on EVERY dialog that writes settings to registry. Why should only pro-IT group policy hounds have the ability to do this?

Sometimes when I switch between tabs in IE, I unexpectedly get this red, barred circle mouse cursor indicating I cannot drop something on the page I am viewing. This is obviously a tab that has been dragged. This can be confusing and annoying.

Perhaps tab dragging could be timed so that I would have to hold that mouse button to confirm that I really want dragging. Another way to confirm dragging could be to require a certain travel distance for the mouse cursor before dragging. Also a short, subtle sound could be played back to indicate when I am actually dragging something. Play the sound just before dragging kicks in, and at the time dragging does kick in. That way one could learn to time button releases to avoid unwanted dragging. The sound could be just a short, low-volume beep (should compress nicely too).

To me it is not so important to be able to change such a sound, but the ability to turn it on and off would be great.